git-worktree-setup

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed worktree setup helper, but users should review generated hooks and secret-copying behavior before enabling it.

Install if you want an agent to create or update worktree bootstrap automation. Before enabling hooks, review the generated scripts/setup-worktree.sh resource declarations, confirm which files contain secrets, keep copied env files gitignored, and run the script manually once before allowing automatic SessionStart or WorktreeCreate execution.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (3)

Missing User Warnings

Medium
Confidence: 96%
Finding:
The instructions explicitly direct the agent to copy secret-bearing files like `.env*`/`.dev.vars` and merge hook config into tool settings, but they do not require a clear user warning or confirmation immediately before those file mutations occur. This is risky because it can silently duplicate secrets into additional worktrees and persist auto-executing hooks in repo config, increasing exposure and surprise side effects.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The recipe explicitly copies a credential-bearing file (`apps/api/.dev.vars`) into each worktree and notes only that secrets may differ, but it does not warn that duplicating secrets into additional worktrees expands secret exposure and persistence. In this skill’s context, the generated scripts are meant to automate repository setup across many worktrees, so normalizing secret copying increases the chance of accidental commit, broader filesystem exposure, or insecure retention of environment secrets.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The script will recursively delete any existing file or directory at the destination path before replacing it with a symlink, with no confirmation, backup, or path allowlist. In an auto-triggered worktree bootstrap context, this can destroy uncommitted local files or generated assets in the worktree if the path already exists, making it a real integrity/availability risk even though it is not an attacker-controlled code execution primitive.

VirusTotal

63/63 vendors flagged this skill as clean.
